Bug 730062

Summary: LightDM fix for CVE-2011-4105 is incomplete
Product: [openSUSE] openSUSE 12.1 Reporter: Forgotten User cAXlJ_FoSf <forgotten_cAXlJ_FoSf>
Component: XfceAssignee: Forgotten User cAXlJ_FoSf <forgotten_cAXlJ_FoSf>
Status: RESOLVED DUPLICATE QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Forgotten User cAXlJ_FoSf 2011-11-13 18:36:03 UTC 
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

From http://www.openwall.com/lists/oss-security/2011/11/09/6:

---->8----
Date: Wed, 09 Nov 2011 10:47:17 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: kseifried@...hat.com
Cc: oss-security@...ts.openwall.com, Yves-Alexis Perez <corsac@...ian.org>
Subject: Re: Re: [LightDM] Version 1.0.6 released

[...]

BTW, the fix that is in 1.0.6 is probably not enough for distros that
don't implement hard link restrictions, such as the Yama LSM that is
used in Ubuntu.

Marc.
----8<----

LightDM 1.0.6 is thus still vulnerable to hardlink attacks on openSUSE. The right solution is to remove the offending code that corrects the ownership of users' .Xauthority files altogether, it is irrelevant for openSUSE anyway since the version of LightDM that created .Xauthority files with wrong ownership was never part of a release openSUSE version and this can also be easily fixed by hand.
This only affects 12.1, the fix is already in Factory.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 1 Forgotten User cAXlJ_FoSf 2011-11-16 22:14:19 UTC 
This is a security issue and the fix needs to go into 12.1 as well.
Comment 2 Ludwig Nussel 2011-11-17 15:06:25 UTC 
handled in the submission for bug 728627

*** This bug has been marked as a duplicate of bug 728627 ***